Cybersecurity analysts have discovered links connecting the WannaCry ransomware to the Lazarus Group—a cybercrime syndicate suspected of ties to the North Korean government.
The WannaCry ransomware cyberattack carried out across the world last week left cybersecurity experts frantically searching for clues that would lead them to the perpetrators of the worst cybercrime in history.
Researchers at Kaspersky Lab, a Russian cybersecurity firm, published a post on Monday detailing a section of code shared between an early WannaCry variant from February 2017 and a February 2015 sample of a backdoor program called Contopee, which has been attributed to the notorious Lazarus group.
The commonality was first discovered by a Google security researcher, Neel Mehta, who shared his findings in a cryptic message on Twitter. Building on this revelation, Kaspersky and several individual researchers began investigating the origins of the WannaCry ransomware.
“There’s no doubt this function is shared across these two programs,” Matthieu Suiche, a white-hat hacker and the founder of the security firm Comae Technologies, told Wired. “WannaCry and this [program] attributed to Lazarus are sharing code that’s unique. This group might be behind WannaCry also.”
Lazarus is an advanced persistent threat group behind some of the most debilitating cyberattacks of the last decade. Reportedly operating under the control of the North Korean government, Lazarus has been directly or indirectly responsible for the Sony Wiper attack, the Bangladesh bank heist, and the DarkSeoul operation, among several other cybercrimes. Operation Blockbuster—an alliance of key IT security firms working to combat multiple cyberespionage campaigns—had earlier found that Lazarus operates as a 'malware factory', producing new samples of malicious code through independent entities.
Kaspersky said that they “strongly believe the February 2017 sample was compiled by the same people or by people with access to the same source code as the May 2017 WannaCry encryptor used in the May 11th wave of attacks.”
But concrete proof linking the WannaCry malware campaign to Lazarus, and hence North Korea, is yet to be found. While researchers at Symantec found connections similar to those reported by Kaspersky—“code in WannaCry... historically unique to Lazarus tools”—they acknowledged that Lazarus' involvement cannot yet be proved beyond doubt, Cyberscoop reported. “While these connections exist, they so far only represent weak connections. We are continuing to investigate for stronger connections,” said a statement from Symantec.
It is possible that WannaCry's creators lifted the relevant code from a North Korean sample, just as they did with the EternalBlue code from the US National Security Agency (NSA). EternalBlue is an exploit—purportedly developed by the NSA to take advantage of vulnerabilities in the Windows operating system—that was first leaked in April 2017 and then used in the WannaCry cyberattack last week.
However, the theory of WannaCry's perpetrators having planted a ‘false flag’ to fake attribution to an innocent party, while possible, is improbable. “Attribution can be faked,” Suiche told Wired, “but that would be pretty smart. To write ransomware, target everyone in the world, and then make a fake attribution to North Korea—that would be a lot of trouble.”
With so much speculation surrounding the origins of this malware, far more investigation is required by the world's cybersecurity researchers if its creators are to be identified and brought to justice.
The WannaCry ransomware has infected over two lakh (200,000) systems (and counting) across 150 countries, with the most notable victims including National Health Service (NHS) hospitals in the UK, the American logistics firm FedEx, Russia’s Interior Ministry, Spain’s telecommunications company Telefonica, and even a few state government agencies in India.